From 984b2934fe324de7ce0d6fc7fff9591dcd8b39e5 Mon Sep 17 00:00:00 2001 From: rithu john Date: Fri, 6 Jan 2017 15:36:56 -0800 Subject: [PATCH 1/2] *: update vendored go-oidc --- glide.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/glide.yaml b/glide.yaml index 901d8eb0..650bd8bf 100644 --- a/glide.yaml +++ b/glide.yaml @@ -66,7 +66,7 @@ import: # Used for server integration tests and OpenID Connect connector. - package: github.com/coreos/go-oidc - version: dedb650fb29c39c2f21aa88c1e4cec66da8754d1 + version: 2b5d73091ea4b7ddb15e3ac00077f153120b5b61 - package: github.com/pquerna/cachecontrol version: c97913dcbd76de40b051a9b4cd827f7eaeb7a868 - package: golang.org/x/oauth2 From 05cef99a31d0a8cc911bc7af3a468884e4cd1940 Mon Sep 17 00:00:00 2001 From: rithu john Date: Fri, 6 Jan 2017 15:39:36 -0800 Subject: [PATCH 2/2] vendor: revendor --- glide.lock | 6 +++--- vendor/github.com/coreos/go-oidc/verify.go | 7 +++++++ 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/glide.lock b/glide.lock index 592c9498..a4741bda 100644 --- a/glide.lock +++ b/glide.lock @@ -1,12 +1,12 @@ -hash: 723f2faad8f09a97ffb5ce647705b8ee41dbf2f81f91488c60f23d102789a23b -updated: 2016-12-08T11:11:10.172119799-08:00 +hash: 22c01c4265c210fbf3cd2d55e9451b924a3301e35053c82ebe35171ab7286c83 +updated: 2017-01-06T15:38:29.812891187-08:00 imports: - name: github.com/cockroachdb/cockroach-go version: 31611c0501c812f437d4861d87d117053967c955 subpackages: - crdb - name: github.com/coreos/go-oidc - version: dedb650fb29c39c2f21aa88c1e4cec66da8754d1 + version: 2b5d73091ea4b7ddb15e3ac00077f153120b5b61 - name: github.com/ghodss/yaml version: bea76d6a4713e18b7f5321a2b020738552def3ea - name: github.com/go-sql-driver/mysql diff --git a/vendor/github.com/coreos/go-oidc/verify.go b/vendor/github.com/coreos/go-oidc/verify.go index 13c0f934..67185a26 100644 --- a/vendor/github.com/coreos/go-oidc/verify.go +++ b/vendor/github.com/coreos/go-oidc/verify.go @@ -145,6 +145,13 @@ func (v *IDTokenVerifier) Verify(ctx context.Context, rawIDToken string) (*IDTok } } + // If a checkExpiry is specified, make sure token is not expired. + if v.config.checkExpiry != nil { + if t.Expiry.Before(v.config.checkExpiry()) { + return nil, fmt.Errorf("oidc: token is expired (Token Expiry: %v)", t.Expiry) + } + } + // If a set of required algorithms has been provided, ensure that the signatures use those. var keyIDs, gotAlgs []string for _, sig := range jws.Signatures {